[wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

John Cooper JoCooper at jackhenry.com
Fri Mar 4 10:14:42 PST 2016


The default for signtool.exe is SHA1 signatures.  I suspect this is also the case for other tools.  It is possible to:  1) double sign with SHA1 and SHA256; or 2) sign with just SHA256 (with the resulting incompatibility for XP, etc.).  The /fd switch on signtool.exe controls the "file digest" used to sign the target.  I am moving to using /fd SHA256 for all my products as we no longer support XP.

--
John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com




-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, March 4, 2016 12:09 PM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

The e-mail below is from an external source.  Please do not open attachments or click links from an unknown or suspicious origin.

Our security team is requiring us to use HTTPS to download our MSIs and cabs. They brought up the question of Certificate Verification after we noticed that the embedded hashes are SHA-1, and not SHA-256 (which our security team was hoping for). Is there any way for us to have the Standard Bootstrapper use SHA-256 or perform Certificate Verification without modifying the source or build a custom bootstrapper.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Raze, Leigh
Sent: Friday, February 26, 2016 9:54 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Streaming Bootstrapper - HTTPS Certificate Verification?

Hello!

I am using the Standard Bootstrapper application to pull down, via HTTPS, a number of MSIs that we have built to install our product. This is working fine, but I have a security question related to the Standard Bootstrapper and giving DownloadUrl an HTTPS link:

Does anyone know if and how the Standard Bootstrapper does certificate validation on anything downloaded through HTTPS? I have looked through the source code for WiX and the Standard Bootstrapper and have not been able to find any leads. The only mention of certificates I have found is in the IIS Extension, which is not applicable to our product.

Thanks!


____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message, 
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution 
is strictly prohibited. If you have received this message in error, please 
immediately advise the sender by reply email and delete all copies.




More information about the wix-users mailing list